Bluepurple Pulse: week ending October 9th
Giving back is 💖 - an ode to open source in cyber defence
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week was driven by vulnerability disclosures: at the start, the new zero days exploited in Microsoft Exchange (in fewer than 10 organisations globally, it transpires). In the middle we had the flap about Chinese APT in the defence supply base in the US. Then towards the end of the week the Fortinet vulnerabilities (critical remotes). It is almost like everything is systemically vulnerable and we are playing whack-a-mole.
In the high-level this week:
A Proclamation on Cybersecurity Awareness Month, 2022 - The White House doing what it does best as we enter October.
Office of the National Cyber Director Requests Your Insight and Expertise on Cyber Workforce, Training, and Education - The White House - scale of the talent supply gap is key here - with estimates of approximately 700,000 open positions.
Fake CISO Profiles on LinkedIn Target Fortune 500s - given the general trend not surprising - but someone is going big and not going home, but one would hope LinkedIn and all the ML goodness should be able to nuke this and similar.
New Pegasus Spyware Abuses Identified in Mexico - Pegasus continues to be the cause of regret for many. Should help with counter proliferation..
Europe's Watergate - 14 EU states are known to have had Pegasus - I suspect some of those states will have new policies developed to never allow that to happen again without oversight and thus slowing them down.
The Ministry of Internal Affairs of the Russian Federation will create a department for organizing the fight against cybercrime - no giggling at the back.
Binding Operational Directive 23-01 - Improving Asset Visibility And Vulnerability Detection On Federal Networks - the opening line will make a lot of companies weep - Continuous and comprehensive asset visibility is a basic pre-condition for any organization - in my experience many don’t have said basic pre-condition in place.
NSA, CISA, FBI Warn of Custom Exfiltration Tools Being Used Against Defense Industrial Base Organization - big disclosure this week by USG; cue frantic thrashing by a sector.
NSA, CISA, FBI Reveal Top CVEs Exploited by Chinese State - there is both the technical dimension to this but also the signalling dimension..
DSA: Council (of Europe) gives final approval to the protection of users' rights online - online protection taking a whole society approach in Europe.
DoD Releases List of People's Republic of China (PRC) Military Companies in Accordance With Section 1260H of the National Defense Authorization Act for Fiscal Year 2021 - one cyber company listed.
Canadian National Sentenced in Connection with Ransomware Attacks Resulting in the Payment of Tens of Millions of Dollars in Ransoms - 20 years in the clink.
Former Uber security chief convicted of covering up 2016 data breach - lots of coverage on this - but no it doesn’t mean generally you are at risk of going to jail as a CISO (unless you plan to do a massive coverup).
Big tech regulation: in search of a new framework - shows how financial regulators are wrestling with technology evolution as they propose a possible new approach.
Cyber diplomacy: a new way to visualise UN voting records - if you want a visual means to understand bifurcation in the world and/or blunting activity (see last week) this is a great tool in the cyber domain.
Reflections this week: the below is a pretty major moment in the whole ‘is cyber important’ in international security and relations debate.
What I am now curious to see is how quickly other countries follow suit..
Otherwise a big week for NCC Group, as we did to forensics what we previously did to cloud security assessments with Scout. In short, via our Dutch subsidiary we released Dissect as open source: our internal forensics framework designed for large scale investigations. Go forth and find those nation states who have been latent in your environment for 5 years..
Have a lovely Saturday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
Peter Kálnai details continued North Korean activity in Europe. The fact they have developed tradecraft to utilise a Bring Your Own Vulnerable Driver style approach is the aspect of note.
The Lazarus campaign targeted an employee of an aerospace company in the Netherlands, and a political journalist in Belgium.
The most notable tool used in this campaign represents the first recorded abuse of the CVE‑2021‑21551 vulnerability. This vulnerability affects Dell DBUtil drivers; Dell provided a security update in May 2021.
This tool, in combination with the vulnerability, disables the monitoring of all security solutions on compromised machines. It uses techniques against Windows kernel mechanisms that have never been observed in malware before.
Lazarus also used in this campaign their fully featured HTTP(S) backdoor known as BLINDINGCAN.
The complexity of the attack indicates that Lazarus consists of a large team that is systematically organized and well prepared.
https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/
https://www.virusbulletin.com/uploads/pdf/conference/vb2022/VB2022-Kalnai-Havranek.pdf
Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims
Chinese activity in Myanmar; the actual tradecraft is pretty stock, so not advanced by any stretch in 2022. But it highlights once more that China continues to infiltrate its neighbours.
Our team analyzed the samples in question and found their embedded configurations revealed a set of command-and-control (C2) domains that masquerade as Myanmar news outlets.
This threat actor has been previously linked to campaigns targeting Myanmar government entities using custom lures and compromising the website of the office of Myanmar’s president.
The TTPs associated with the campaign covered in this report align with those of Mustang Panda. We observed a typical attack chain employed by the group, where attackers used a benign executable to side-load a malicious DLL loader, which then decrypts and loads the PlugX implant. We have also confirmed the C2 infrastructure associated with this campaign has been used to target entities in Myanmar, including a government VPN portal, from early March onwards.
Malicious Tor Browser spreads through YouTube
Leonid Bezvershenko shows a clear campaign against users seeking anonymity in China. This is the second time in the last month or so we have seen social video used as a means to distribute implants.
We identified multiple downloads of previously unclustered malicious Tor Browser installers. According to our telemetry, all the victims targeted by these installers are located in China. As the Tor Browser website is blocked in China, individuals from this country often resort to downloading Tor from third-party websites. In our case, a link to a malicious Tor installer was posted on a popular Chinese-language YouTube channel devoted to anonymity on the internet.
https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/107627/
Apollo OTP Bot Exploiting Google Voice for MFA Bypass
Robotic Process Automation (RPA) arrives for cyber criminals. A natural evolution, but the end-to-end integrated nature is kind of impressive / concerning.
The bot service started operations on Telegram in March 2022 and has gained a large following among cybercriminals.
The bot provides the same features as the other bots on the market such as the Generaly OTP Bot. These include OTP stealing and using a legitimate infrastructure to conduct operations.
The bot makes use of various modules to facilitate services: targeting crypto apps, e-commerce stores, etc.
The actor has quoted a starting price of USD 20 per hour for the bot’s services.
..
The actor provides the victim’s information to the bot. In this case, the phone number is entered (using a bot command).
A custom script selected by the actor is used to guide the conversation. Multiple scripts are available for selection.
The actor will need to know the following:
Length of the OTP code
Victim’s name
Business name (Being used to masquerade as a legitimate business).
The bot impersonates a legitimate entity (bank, e-commerce store, etc) by making a spoofed call from the toll-free customer care number to the intended target.
The victim is instructed to press ‘1’ on their mobile phone.
Once the victim trusts the bot and enters the OTP from the SMS, it is received by the bot.
The OTP is successfully captured and displayed on the screen of the Discord bot.
https://cloudsek.com/threatintelligence/apollo-otp-bot-exploiting-google-voice-for-mfa-bypass/
Tracking Earth Aughisky’s Malware and Changes
CH Lei documents what happens now we have longitudinal studies of some threat actors and their capability development from China. Fascinating insight and 😘 quality research.
For over 10 years, security researchers have been observing and keeping tabs of APT group Earth Aughisky’s malware families and the connections, including previously documented malware that have yet to be attributed.
https://www.trendmicro.com/en_us/research/22/j/tracking-earth-aughiskys-malware-and-changes.html
https://documents.trendmicro.com/assets/white_papers/wp-the-rise-of-earth-aughisky.pdf
DeftTorero TTPs in 2019–2021 - aka Lebanese Cedar, Volatile Cedar
Threat actor from Lebanon who is exploiting web vulnerabilities in order to secure their initial access. Active since at least 2015 in the region it is clear their primary tactics haven’t changed too much over the years.
During our intrusion analysis of DeftTorero’s webshells, such as Caterpillar, we noticed traces that infer the threat actor possibly exploited a file upload form and/or a command injection vulnerability in a functional or staging website hosted on the target web server.
https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
Remove All The Callbacks – BlackByte Ransomware Disables EDR via RTCore64.sys Abuse
Andreas Klopsch details further vulnerable Windows driver abuse to systematically disable endpoint products. This is why ensuring proof of life and proof of function of your EDR (i.e. EDR health) will become ever critical. That and WDAC (when it works).
RTCore64.sys and RTCore32.sys are drivers used by Micro-Star’s MSI AfterBurner 4.6.2.15658, a widely used graphics card overclocking utility that gives extended control over graphic cards on the system. CVE-2019-16098 allows an authenticated user to read and write to arbitrary memory, which could be exploited for privilege escalation, code execution under high privileges, or information disclosure.
The evasion technique supports disabling a whopping list of over 1,000 drivers on which security products rely to provide protection
https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/
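Both the Lazarus write-up (Dell DBUtil, CVE-2021-21551) and the BlackByte one (RTCore64.sys, CVE-2019-16098) come down to the same defensive question: do we notice when a known-vulnerable but validly signed driver is loaded? The snippet below is an added example of mine, not code from ESET or Sophos. It scans constructed driver-load records (loosely modelled on Sysmon key=value output; a real export will need its own parser) for the driver file names named in those posts and flags loads from outside the normal drivers directory. dbutil_2_3.sys as the Dell DBUtil file name is my addition from the CVE record, not from this page.

```python
"""Flag loads of known-vulnerable signed drivers (BYOVD) in driver-load telemetry."""
import re
from dataclasses import dataclass

# File names from the two write-ups, keyed to the CVE they are abused through.
# Note these drivers are legitimately signed: signature validity is NOT a signal here.
VULNERABLE_DRIVERS = {
    "dbutil_2_3.sys": "CVE-2021-21551 (Dell DBUtil)",
    "rtcore64.sys": "CVE-2019-16098 (MSI Afterburner RTCore)",
    "rtcore32.sys": "CVE-2019-16098 (MSI Afterburner RTCore)",
}

# Constructed sample telemetry: one driver-load (EventId=6) record per line as
# key=value pairs. Paths and signer strings are illustrative, not from a real host.
SAMPLE_EVENTS = [
    r"EventId=6 ImageLoaded=C:\Windows\System32\drivers\ndis.sys Signed=true Signature=Microsoft Windows",
    r"EventId=6 ImageLoaded=C:\Users\Public\RTCore64.sys Signed=true Signature=MICRO-STAR INTERNATIONAL CO., LTD.",
    r"EventId=6 ImageLoaded=C:\Windows\Temp\dbutil_2_3.sys Signed=true Signature=Dell Inc.",
    r"EventId=1 Image=C:\Windows\System32\svchost.exe CommandLine=svchost.exe -k netsvcs",
]


@dataclass(frozen=True)
class DriverFinding:
    path: str
    driver: str
    reason: str
    unusual_location: bool


def parse_event(line):
    """Split 'k=v k2=v2 ...' into a dict; values may contain spaces but not '='."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))


def is_expected_driver_dir(path):
    return path.lower().startswith(r"c:\windows\system32\drivers\\"[:-1])


def scan_driver_loads(lines):
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventId") != "6":
            continue  # only driver-load records matter here
        path = ev.get("ImageLoaded", "")
        name = path.rsplit("\\", 1)[-1].lower()
        if name in VULNERABLE_DRIVERS:
            findings.append(DriverFinding(
                path=path,
                driver=name,
                reason=VULNERABLE_DRIVERS[name],
                unusual_location=not is_expected_driver_dir(path),
            ))
    return findings


if __name__ == "__main__":
    for f in scan_driver_loads(SAMPLE_EVENTS):
        flag = " (outside drivers dir)" if f.unusual_location else ""
        print(f"{f.driver}: {f.reason} loaded from {f.path}{flag}")
```

Pair the name list with hash-based blocking (Microsoft's vulnerable driver blocklist or WDAC) so renamed copies are caught too; the path heuristic only tells you the load was odd, not that it was safe.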
Water Labbu Abuses Malicious DApps to Steal Cryptocurrency
Joseph C Chen and Jaromir Horejsi show that Web3 complexity in decentralised finance is just a tyre fire. When you look at this through a socio technical lens it makes me weep.
We discovered a threat actor we named Water Labbu that was targeting cryptocurrency scam websites.
In a parasitic manner, the threat actor compromised the websites of other scammers posing as a decentralized application (DApp) and injected malicious JavaScript code into them
When the threat actor finds a victim who has a large amount of cryptocurrency stored in a wallet that is connected to one of the scam websites, the injected JavaScript payload will send a request for permissions. The request is disguised to look like it was being sent from a compromised website and asks for permission (token allowance) to transfer a nearly-unlimited amount of USD Tether (USDT, which is a stablecoin pegged to the US dollar with a value of 1:1) from the target’s wallet
Analysis of LilithBot Malware and Eternity Threat Group
Shatak Jain and Aditya Sharma out an info stealer using an as-a-Service model. We know such stealers feed initial access brokers, and here is a new(ish) one from Russia.
[Our] research revealed that this was associated with the Eternity group (a.k.a. EternityTeam; Eternity Project), a threat group linked to the Russian “Jester Group,” that has been active since at least January 2022. Eternity uses an as-a-service subscription model to distribute different Eternity-branded malware modules in underground forums, including a stealer, miner, botnet, ransomware, worm+dropper, and DDoS bot.
Threat groups have been enhancing their capabilities and selling them as Malware-as-a-Service (MaaS) in exchange for a membership fee. One such cyber criminal group, dubbed “Eternity,” has been found selling the malware “LilithBot”
“LilithBot” is distributed by Eternity via a dedicated Telegram channel from which we can purchase it via Tor. It has advanced capabilities to be used as a miner, stealer, and a clipper along with its persistence mechanisms.
The group has been continuously enhancing the malware, adding improvements such as anti-debug and anti-VM checks.
The malware registers itself on the system and decrypts itself step by step, dropping its configuration file.
LilithBot uses various types of fields such as license key, encoding key, and GUID which is encrypted via AES and decrypts itself at runtime.
It steals all the information and uploads itself as a zip file to its Command and Control.
https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group
Bumblebee: increasing its capacity and evolving its TTPs
Marc Salinas Fernandez shows that Bumblebee are able to triage their victims and then vary what the latter stages get delivered.
Bumblebee is in constant evolution, which is best demonstrated by the fact that the loader system has undergone a radical change twice in the range of a few days — first from the use of ISO format files to VHD format files containing a powershell script, then back again.
Changes in the behavior of Bumblebee’s servers that occurred around June 2022 indicate that the attackers may have shifted their focus from extensive testing of their malware to reach as many victims as possible.
Bumblebee payloads vary greatly based on the type of victim. Infected standalone computers will likely be hit with banking trojans or infostealers, whereas organizational networks can expect to be hit with more advanced post-exploitation tools such as CobaltStrike.
https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/
Supply Chain Attack - Comm100 Chat Installer
So headlines were written on this ‘supply chain attack’ for a Canadian app no one had heard of (didn’t stop the media coverage). To give a sense this app had about 10,000 downloads in a country with a population of 38 million.
That being said there is moderate confidence that a Chinese actor did this attack and the customers of the product include a health cluster of firms.
https://www.crowdstrike.com/blog/new-supply-chain-attack-leverages-comm100-chat-installer/
MSSQL, meet Maggie - a novel backdoor malware targeting Microsoft SQL servers
Johann Aydinbas and Axel Wauer detail an interesting SQL server backdoor. The fact it was code signed as well shows an extra dimension here.
The malware comes in form of an “Extended Stored Procedure” DLL, a special type of extension used by Microsoft SQL servers. Once loaded into a server by an attacker, it is controlled solely using SQL queries and offers a variety of functionality to run commands, interact with files and function as a network bridge head into the environment of the infected server.
Based on this finding, we identified over 250 servers affected worldwide, with a clear focus on the Asia-Pacific region.
https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
HyperBro from an incident at a Defense Industrial Base (DIB) Sector organization
This is the US Government's analysis of the implants from the Chinese incursions into the defence firms. Some points of note:
So some components spoof CyberArk
Some of the components are side loaded
They are hell noisy - including creating autorun entries!!
https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277b
Winnti 4.0 and ShadowPad C2 IoCs discovered by the Internet-wide C2 scanning
List of IoCs discovered through active discovery.
https://github.com/carbonblack/active_c2_ioc_public
Discovery
How we find and understand the latent compromises within our environments.
Trying to attribute newest Microsoft Exchange 0-day campaign
Put your best shocked face on for the conclusion.
After conducting further investigation, [we were] able to attribute the newest campaign which utilizes a new 0-day RCE vulnerability on MS Exchange servers with medium confidence to a Chinese state-sponsored threat actor.
https://atos.net/en/lp/security-dive-blog-vulnerability-0-day-exchange
Dissect
Dissect is an incident response framework for collecting and analyzing very large amounts of data in the context of an investigation. It enables data acquisition on thousands of systems within hours, regardless of the nature and size of the IT environment to be investigated during and after an attack. Fox-IT (part of NCC Group) developed Dissect and is now making the framework available to everyone as open source software.
The Dissect website, https://www.fox-it.com/nl-en/dissect/, provides more background on Dissect and its capabilities. If you are more interested in the technology itself, dive right into the Gitlab repository here: https://github.com/fox-it/dissect.
Defence
How we proactively defend our environments.
CA Optics - Azure AD Conditional Access gap analyser
As the complexity grows tooling such as this becomes invaluable.
Azure AD Conditional Access Gap Analyzer is a solution for scanning gaps that might exist within complex Azure Active Directory Conditional Access Policy setups.
https://github.com/jsa2/caOptics#ca-optics---azure-ad-conditional-access-gap-analyzer
Detecting DnsHostName Spoofing with Microsoft Defender for Identity
Eran Nachshon shows that you can detect this logic flaw. Interesting they had to release a hotfix to do so.
The vulnerability can be exploited by attackers impersonating another machine account and issuing a certificate on behalf of that account in AD environments where Active Directory Certificate Services (AD CS) is also installed, resulting in computer account take-over and even domain controller take-over, which effectively grants an attacker a clear path for full domain credentials compromise.
Microsoft is applying a hotfix to Microsoft Defender for Identity version 2.179 so this detection is available immediately. This hotfix (2.179.15243) includes a new security alert: Suspicious modification of a DnsHostName attribute (CVE-2022-26923 exploitation).
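The detection Microsoft describes hinges on one observable: a computer account's dNSHostName being rewritten to something that does not belong to it. As an added example (mine, not Microsoft's or Defender for Identity's logic), the script below applies that check to constructed directory-change records: it flags a change when the host label no longer matches the sAMAccountName, or when the new value collides with another computer's dNSHostName (the DC-impersonation case from the post). The domain corp.example and all objects are made up.

```python
"""Flag suspicious dNSHostName changes on AD computer objects (CVE-2022-26923 pattern)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ComputerObject:
    sam_account_name: str   # e.g. "WS01$"
    dns_host_name: str      # e.g. "ws01.corp.example"


@dataclass(frozen=True)
class AttributeChange:
    sam_account_name: str   # account whose dNSHostName was modified
    old_value: str
    new_value: str


# Constructed directory snapshot for a hypothetical domain corp.example.
DIRECTORY = [
    ComputerObject("DC01$", "dc01.corp.example"),
    ComputerObject("WS01$", "ws01.corp.example"),
    ComputerObject("WS02$", "ws02.corp.example"),
]

# Constructed change records, as a directory-audit pipeline might emit them.
CHANGES = [
    AttributeChange("WS01$", "ws01.corp.example", "ws01.corp.example"),    # no-op
    AttributeChange("WS02$", "ws02.corp.example", "WS02.corp.example"),    # case only
    AttributeChange("WS01$", "ws01.corp.example", "dc01.corp.example"),    # claims the DC's name
    AttributeChange("WS02$", "ws02.corp.example", "laptop9.corp.example"), # unrelated name
]


def host_label(fqdn):
    """Leftmost DNS label, lower-cased."""
    return fqdn.split(".", 1)[0].lower()


def expected_label(sam_account_name):
    """Computer sAMAccountNames end in '$'; the rest should equal the host label."""
    return sam_account_name.rstrip("$").lower()


def assess_change(change, directory):
    """Return reason strings; an empty list means the change looks benign."""
    reasons = []
    if host_label(change.new_value) != expected_label(change.sam_account_name):
        reasons.append("host label does not match sAMAccountName")
    for obj in directory:
        same_account = obj.sam_account_name.lower() == change.sam_account_name.lower()
        if not same_account and obj.dns_host_name.lower() == change.new_value.lower():
            reasons.append(f"collides with {obj.sam_account_name}")
    return reasons


def suspicious_changes(changes, directory):
    flagged = []
    for change in changes:
        reasons = assess_change(change, directory)
        if reasons:
            flagged.append((change, reasons))
    return flagged


if __name__ == "__main__":
    for change, reasons in suspicious_changes(CHANGES, DIRECTORY):
        print(f"{change.sam_account_name}: {change.old_value} -> {change.new_value}: {'; '.join(reasons)}")
```

The collision rule is the one that matters for CVE-2022-26923: the attribute change itself is low-privilege, but the certificate request that follows is what grants the take-over, so you want the alert before the enrollment, not after.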
Basic Recon Automation Using Github Actions
Fernando Guisso brings asset discovery and service enumeration into CI/CD by using Github actions to drive Amass, Naabu and Nuclei etc.
https://guisso.dev/posts/github-actions-recon-en/
https://github.com/fguisso/ga-recon
Vulnerability
Our attack surface.
CVE-2022-40684: FortiOS: From 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1 / FortiProxy: From 7.0.0 to 7.0.6 and 7.2.0 - Critical vulnerability
https://docs.fortinet.com/document/fortigate/7.2.2/fortios-release-notes/289806/resolved-issues
https://docs.fortinet.com/document/fortigate/7.0.7/fortios-release-notes/289806/resolved-issues
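Triage of something like this usually starts with a spreadsheet of firmware strings. The snippet below is an added example (mine, not Fortinet's) that encodes the affected ranges exactly as listed in the heading above and answers "is this box affected?" for FortiOS and FortiProxy version strings in the usual v7.0.6,build... form. The "next version past the range" helper is derived purely from those ranges; confirm the actual fixed build against the release notes linked above before acting on it.

```python
"""Check FortiOS / FortiProxy version strings against the CVE-2022-40684 affected ranges."""
import re

# Inclusive (low, high) ranges from the advisory heading above.
AFFECTED = {
    "FortiOS":    [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 1))],
    "FortiProxy": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 0))],
}


def parse_version(text):
    """Accept '7.0.6', 'v7.0.6' or 'v7.0.6,build0366' style strings; return (major, minor, patch)."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(product, version_text):
    """True if the version falls inside any listed affected range for the product."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED[product])


def first_version_past_range(product, version_text):
    """For an affected version, the first patch level above its range on the same branch.
    Derived from the ranges only; verify against the vendor release notes."""
    v = parse_version(version_text)
    for lo, hi in AFFECTED[product]:
        if lo <= v <= hi:
            return hi[:2] + (hi[2] + 1,)
    return v  # already outside the affected ranges


if __name__ == "__main__":
    # Constructed inventory lines (hostname, product, firmware string); not real devices.
    inventory = [
        ("fw-edge-01", "FortiOS", "v7.0.6,build0366"),
        ("fw-edge-02", "FortiOS", "v7.2.2,build1255"),
        ("proxy-01", "FortiProxy", "v7.2.0,build0100"),
        ("fw-branch-07", "FortiOS", "v6.4.9,build1966"),
    ]
    for host, product, fw in inventory:
        if is_affected(product, fw):
            target = ".".join(map(str, first_version_past_range(product, fw)))
            print(f"{host}: {product} {fw} AFFECTED, move to at least {target}")
        else:
            print(f"{host}: {product} {fw} not in affected ranges")
```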
Offense
Attack capability, techniques and tradecraft.
Phishing With Chromium's Application Mode
Neat evolution in Phishing here to remove / reduce the tells we have trained our users to look for 😭
Chromium-based browsers such as Google Chrome and Microsoft Edge support the --app command line flag. This flag will launch a website in application mode which does several things:
Causes the site to be launched in a separate browser window
The launched window is given a desktop application appearance rather than a browser appearance
The Windows Taskbar displays the website’s favicon rather than the browser’s icon
Launches the website while hiding the address bar
https://mrd0x.com/phishing-with-chromium-application-mode/
ChTimeStamp: Changing the Creation time and the Last Written time of a dropped files
Time stomping in a tool for Windows.. oh boy..
https://github.com/D1rkMtr/ChTimeStamp/tree/main
Iscariot Suite
When attackers turn our own tools against us by Erik Hustad and Alberto Rodriguez.
The Iscariot Suite is a collection of tools to enhance and augment trusted open-source and commercial Blue Team/Sysadmin products, turning them into traitorware to achieve offensive security goals.
Using an osquery extension, a user can execute binaries, shell commands, unmodified Cobalt Strike BOFs, and C# assemblies in memory
The extension runs as its own process, but a child of the digitally signed osqueryd.exe
The video of the talk can be seen here:
https://gitlab.com/badsectorlabs/iscariot-suite
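Both of the last two items leave a footprint in process-creation telemetry: a browser started with --app=, and an extension process whose parent is the signed osqueryd.exe. The script below is an added example (mine, not from mrd0x or Bad Sector Labs) that runs those two rules over constructed process events. The paths, the example.invalid URLs and the allowlist of expected osqueryd children are all hypothetical; the allowlist in particular has to be populated from your own osquery deployment, since legitimate extensions are separate child processes too.

```python
"""Two process-creation rules: Chromium application-mode launches and unexpected osqueryd children."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str


# Constructed sample events; nothing here is from a real host.
SAMPLE = [
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\explorer.exe",
                 r'"chrome.exe" --profile-directory=Default'),
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'"chrome.exe" --app=https://login.example.invalid/'),
    ProcessEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'msedge.exe --app="https://sso.example.invalid/"'),
    ProcessEvent(r"C:\Program Files\osquery\osqueryd\osqueryd.exe",
                 r"C:\Program Files\osquery\osqueryd\osqueryd.exe",
                 r'"osqueryd.exe" --flagfile=osquery.flags'),   # watchdog spawning its worker
    ProcessEvent(r"C:\Users\Public\evil.ext.exe",
                 r"C:\Program Files\osquery\osqueryd\osqueryd.exe",
                 r"evil.ext.exe --socket \\.\pipe\osquery.em"),  # unknown extension process
]

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
APP_FLAG = re.compile(r"(?:^|\s)--app=", re.IGNORECASE)
# Hypothetical allowlist: the worker plus any extension binaries you actually deploy.
OSQUERY_EXPECTED_CHILDREN = {"osqueryd.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate_process(ev):
    """Return the rule names that fire for one event (empty list if none)."""
    hits = []
    if basename(ev.image) in BROWSERS and APP_FLAG.search(ev.command_line):
        hits.append("chromium-app-mode")
    if basename(ev.parent_image) == "osqueryd.exe" and basename(ev.image) not in OSQUERY_EXPECTED_CHILDREN:
        hits.append("unexpected-osqueryd-child")
    return hits


def scan_process_events(events):
    results = []
    for ev in events:
        hits = evaluate_process(ev)
        if hits:
            results.append((ev, hits))
    return results


if __name__ == "__main__":
    for ev, hits in scan_process_events(SAMPLE):
        print(f"{', '.join(hits)}: {basename(ev.image)} <- {basename(ev.parent_image)}: {ev.command_line}")
```

The --app rule will also fire on legitimate installed web apps, so in practice you score it higher when the parent is a script host or Office process rather than explorer.exe, as the second and third sample events show.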
Exploitation
What is being exploited.
CVE-2022-41040 and CVE-2022-41082: Exchange vulnerabilities
The Exchange vulns which were actively exploited in less than ten organisations.
Patch presence checker:
NMAP check:
Detection rules:
How Water Labbu Exploits Electron-Based Applications
Joseph C Chen and Jaromir Horejsi provide further details on the end to end exploitation. Attacker capability to pull off some sophisticated exploitation is of note in order to steal crypto funds.
We discovered that the Cobalt Strike instance added a persistence registry key to load an exploit file from an online code repository controlled by Water Labbu. The repository hosted multiple exploit files of CVE-2021-21220 (a Chromium vulnerability affecting versions before 89.0.4389.128) to execute a Cobalt Strike stager. It also contained files designed to target Meiqia (美洽), a Chinese desktop-based live chat app for online customer support that is used on websites. MeiQia (美洽) was developed using ElectronJS — a framework that employs Chromium core, and therefore is vulnerable to Chromium’s vulnerabilities.
We observed that many cryptocurrency scam websites that were compromised in this campaign also embedded Meiqia to provide an option for easy communication with potential victims. This association suggests that Water Labbu likely sends the exploit via the live chat box. To support this claim, we found an exploit HTML file sample containing a screenshot that looks like a withdrawal confirmation for cryptocurrency funds.
Tooling and Techniques
Low level tooling for attack and defence researchers.
SymBuilder for WinDbg
The way it was described by Tim Misiak was:
just added a new sample to our WinDbg-Samples repo, and this one is really cool. It's called SymBuilder, and it lets you create synthetic symbols completely from the data model! I can imagine some really cool extensions that could build on this.
Their opener is:
This sample is an example of a modification of the service container. The sample plug-in inserts a symbol provider into the service container. This symbol provider allows the plug-in to handle symbols for any module that it wishes instead of relying on PDBs or export symbols within a binary.
https://github.com/microsoft/WinDbg-Samples/blob/master/TargetComposition/SymBuilder/Readme.txt
IcedID decrypter
Matthew provides tooling that many who work in the organised crime malware ecosystem will be grateful for.
A script to statically decrypt license.dat files associated with IcedID infections. The script will also decrypt the .data section from unpacked IcedID samples.
Notes:
The script will automatically detect whether a PE file or license.dat file has been given.
If a PE has been provided, the script assumes that the file has been unpacked first.
If a decryption is successful, a raw dump will be written to output.bin
As well, a quick string search will be performed, and detected strings written to a file.
If an unpacked PE has been provided, C2's will be displayed on the screen.
https://github.com/matthewB-huntress/IcedID
Windows Packet Divert (WinDivert)
Should help some folk..
Windows Packet Divert (WinDivert) is a user-mode packet capture-and-divert package for Windows 10, Windows 11, and Windows Server.
WinDivert allows user-mode applications to capture/modify/drop network packets sent to/from the Windows network stack. In summary, WinDivert can:
capture network packets
filter/drop network packets
sniff network packets
(re)inject network packets
modify network packets
https://reqrypt.org/windivert.html
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
UK Ransomware Trends 2022 - contains which industries you should go after, as it highlights who is the richest, be you a salesperson or a ransomware operator.
Delivery of Malware: A Look at Phishing Campaigns in Q3 2022
Monthly Threat Actor Group Intelligence Report, August 2022 - from Korea
Cyber Security & Insurance Leaders and podcast - An interesting podcast on the Venn between cyber and insurance.
The New Era of Hacktivism – State-Mobilized Hacktivism Proliferates to the West and Beyond - Good summary of the challenges
Exploiting COVID-19: how threat actors hijacked a pandemic - A retrospective look at how COVID-19 was used in phishing.
Project REVEAL - New research into North Korea’s digital control system - an interesting look into the domestic North Korean technology ecosystem.
Multipurpose synthetic population for policy applications - can you use synthetic population model to drive policy? There is no easy answer..
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
That’s all folks.. until next week..